
Hosted Solutions A Hackers Haven

Human beings are lazy by nature. If there is a choice to be made between a complicated technology solution and an easy technology solution, then nine times out of ten people will choose the easy solution. The problem is that the easy solutions are often riddled with hidden risks, and those risks can end up costing the consumer more money in damages than what might be saved by using the easy solution.

The advantages of using a managed hosting provider to host your email, website, telephone systems, etc., are clear. When you outsource critical infrastructure components you save money. The savings are quickly realized because you no longer need to spend money running a full-scale IT operation. In many cases, you don’t even need to worry about purchasing hardware or software, or even hiring IT staff to support the infrastructure.

What isn’t clear to most people is the serious risk that outsourcing can introduce to their business. In nearly all cases a business will have a radically lower risk and exposure profile if it keeps everything in-house. This is true because of the substantial attack surface that hosting providers have when compared to in-house IT environments.

For example, a web-hosting provider might host 1,000 websites across 50 physical servers. If one of those websites contains a single vulnerability and that vulnerability is exploited by a hacker, then the hacker will likely take control of the entire server. At that point the hacker will have successfully compromised and taken control of all 50 websites with a single attack.

In non-hosted environments there might be only one Internet-facing website as opposed to the 1000 that exist in a hosted environment. As such the attack surface for this example would be 1000 times greater in a hosted environment than it […]

Cambium Group, LLC. CAMAS Advisory

We’ve finally released the Cambium Group, LLC Content Management System (“CAMAS”) advisory after much waiting and debate. These security risks were discovered in CAMAS during a customer penetration test that we did in August of 2007 (we notified the Cambium Group about these risks on 08/24/2007). The security vulnerabilities that are disclosed in the advisory are kept very high level and low detail so as not to arm any potentially malicious people. Unfortunately the vulnerabilities still exist today (almost two years later) according to some recent Google research that we did. In fact, according to Google’s cache the Cambium Group’s own website was vulnerable as of February 9th 2009 to the exact same vulnerabilities that we alerted them to on 08/24/07 (see the screen shot below).

We can’t ethically test Cambium Group customers’ websites without their permission, which is why we rely on Google for this information. Google sometimes triggers vulnerabilities in websites while crawling them and the results get recorded to Google’s database. When that happens they become searchable (and get cached). Malicious hackers and script kiddies also use Google in this way to identify websites that are vulnerable to SQL Injection. This gives them an easy set of targets that they can compromise with little effort.

You can check to see if Google stumbled upon a vulnerability in your instance of CAMAS by using the following technique. Type the following string into the Google search engine but replace www.yourcompany.com with your company’s domain (see the screen shot below as an example).

String (without the quotes): “inurl:www.yourcompany.com 1064 You have an error in your SQL”

When you hit the search button (and if Google has a cached version of your website being vulnerable) you […]
